SAN FRANCISCO–The security of data being transmitted over the Web relies on a large number of moving parts, from the integrity of the machine sending the data, to the security of the browser, to the implementation of encryption, to the fragility of the certificate authority system. Experts have been spending the best part of the last decade trying to address many of these issues, but there are still a number of hard problems to solve.
One of the most difficult of these is the way that users and browsers interact with the CA system and how the CAs handle certificate issuance and attempts to tamper with the system. In the last few years, a number of methods for addressing these issues have been proposed, and some of them show real promise, including the notion of certificate transparency. This is the work of some engineers at Google and the system is designed to provide a public log of every certificate that’s issued. The user’s browser also would receive a proof with each certificate. The logs themselves are append-only and cryptographically assured.
“When implemented, Certificate Transparency helps guard against several types of certificate-based threats, including misissued certificates, maliciously acquired certificates, and rogue CAs. These threats can increase financial liabilities for domain owners, tarnish the reputation of legitimate CAs, and expose Internet users to a wide range of attacks such as a website spoofing, server impersonation, and man-in-the-middle attacks,” Google’s description of the framework says.
The method requires the CAs to cooperate and submit their certificates to these public logs, and that’s one of the things that’s holding up its broad adoption.
“We need to get the CAs to change their behavior so they emit certificates this way,” Chris Palmer, a security engineer on the Chrome team at Google, said in a talk at TrustyCon here Thursday.
Palmer said that among the current proposal to help fix the trust problem online, he believes certificate transparency has the most potential for success. Some CAs have already committed to the idea, including Digicert and GlobalSign, one of the handful of larger certificate authorities in the world. Google is running a certificate log server and there is information available in Chrome on the certificate transparency status of a given site using SSL. Google also has set up a forum that lists certificate pushes and other issues surrounding the system.
But in order for the proposal to gain more steam, more CAs need to participate and agree to publish their certificates in this way. When that happens, it could have a significant effect on finding and revoking malicious or mistakenly issued certificates.